Document how to get started #108
Conversation
| Helm is central to how we deploy all services on kubernetes. | ||
|
|
||
| * [helm]({{< relref "tools/helm.md" >}}) is essentially the package manager for Kubernetes (like `npm` for Node, `gem` for Ruby, and `rpm` for RHEL) | ||
| * [helm charts](/helm-charts/) are how kubernetes resources are templatized using go templates |
content/geodesic/module/_index.md
Outdated
| @@ -5,3 +5,49 @@ description: "Geodesic modules are Git repositories that extend the Geodesic bas | |||
| {{% dialog type="info" icon="fa fa-book" title="Read More" %}} | |||
| ⇠ Select one of these pages to learn more about the topic. | |||
| {{% /dialog %}} | |||
|
|
|||
| We believe that infrastructure as code should be treated just like all other code: tested, bundled into artifacts and automatically deployed. This is what `geodesic` solves. A geodesic module is a docker container/image contains all the code necessary deploy infrastructure. | |||
There was a problem hiding this comment.
A geodesic module is a docker container/image containing
There was a problem hiding this comment.
Grammatically, I think the sentence should be "A geodesic module is a docker container/image which contains all the code necessary to deploy infrastructure" except I still don't know what that means. Maybe it's supposed to be "...all the code necessary to deploy itself"?
There was a problem hiding this comment.
@Nuru thanks for checking this out.
How is this? I really want to make sure this is clear. If you don't understand it, others won't either.
A geodesic module is a docker container/image which contains all the Infrastructure as Code necessary to provsion logically related IaaS resources (e.g. AWS Organizations, IAM Roles/Permissions, CDNs, S3 Buckets, Kubernetes Clusters, etc).
content/geodesic/module/_index.md
Outdated
| - [Multi-stage Docker Builds]({{< relref "tools/docker/best-practices.md#multi-stage-builds" >}}) | ||
| - [Terraform Root modules]({{< relref "terraform-modules/root/_index.md" >}}) | ||
| - [Terraform Modules](/terraform-modules/) | ||
| - [Polyrepos]({{< relref "glossary/polyrepo.md" >}}) to logically organize infrastructure. Use modules to import logic. |
There was a problem hiding this comment.
to logically organize infrastructure and use modules to import logic
content/geodesic/module/_index.md
Outdated
| - [Terraform Modules](/terraform-modules/) | ||
| - [Polyrepos]({{< relref "glossary/polyrepo.md" >}}) to logically organize infrastructure. Use modules to import logic. | ||
|
|
||
| We prefer the polyrepo approach to the monorepo approach when it comes in infrastructure. Git repositories allow us to surgically tag/version parts of infrastructure. |
There was a problem hiding this comment.
Reworded.
Git repositories allow us to surgically tag/version infrastructure code that represents some kind of business logic.
content/geodesic/module/_index.md
Outdated
|
|
||
| The [`root.cloudposse.co`](https://github.com/cloudposse/root.cloudposse.co) module represents an organization's "root" or "top level" AWS account. This is typically your billing organization and handles IAM user account provisioning. | ||
|
|
||
| It should also use the `terraform` resource [`aws_organizations_organization`](https://www.terraform.io/docs/providers/aws/r/organizations_organization.html) to provision all the subaccounts below. |
content/geodesic/module/_index.md
Outdated
|
|
||
| ## prod.cloudposse.co | ||
|
|
||
| The [`prod.cloudposse.co`](https://github.com/cloudposse/prod.cloudposse.co) module represents an organization's "production infrastructure". It's a subaccount (organization) of the [`root.cloudposse.co`](https://github.com/cloudposse/root.cloudposse.co). |
There was a problem hiding this comment.
It's a subaccount (organization)
Organization here sounds overloaded.
Maybe just subaccount or member account?
content/geodesic/module/_index.md
Outdated
|
|
||
| ## dev.cloudposse.co | ||
|
|
||
| The [`dev.cloudposse.co`](https://github.com/cloudposse/dev.cloudposse.co) module represents an organization's "development infrastructure". This module is used as a sandbox environment where developers and test the waters and get familiar with AWS. We prescribe that organizations give all developers "Administrator" level privileges to this account in order to give them an unfettered opporutnity at developing infrastructure. |
There was a problem hiding this comment.
Nice simplification. Always point these out to me.
content/geodesic/module/_index.md
Outdated
|
|
||
| ## audit.cloudposse.co | ||
|
|
||
| The [`audit.cloudposse.co`](https://github.com/cloudposse/audit.cloudposse.co) module represents an organization's "audit logs infrastructure". By leveraging our [`terraform-aws-cloudtrail`](https://github.com/cloudposse/terraform-aws-cloudtrail) and [`terraform-aws-cloudtrail-s3-bucket`](https://github.com/cloudposse/terraform-aws-cloudtrail-s3-bucket) modules, we make it exceptionally easy to ship CloudTrail logs from all your organizations to one central, highly restrictive organization whose sole purpose is to provide a tamper-proof, encrypted, system of record for infrastructure logs with [lifecycle rules]({{< relref "terraform/tips-tricks.md#s3-bucket-lifecycle-rules" >}}). |
There was a problem hiding this comment.
from all your organizations
From all your accounts in the organization?
Or from Organizational Units (OUs)?
There was a problem hiding this comment.
highly restrictive organization
highly restrictive account?
content/geodesic/module/_index.md
Outdated
|
|
||
| ## testing.cloudposse.co | ||
|
|
||
| The [`testing.cloudposse.co`](https://github.com/cloudposse/testing.cloudposse.co) module represents an organization used for continuous integration testing of infrastructure code. By provisioning a separate, dedicated organization for this we are able to silo testing infrastructure so it doesn't pollute or in any way impact other environments. |
There was a problem hiding this comment.
represents an organizational unit used for continuous integration?
There was a problem hiding this comment.
for continuous integration and testing of infrastructure code
There was a problem hiding this comment.
By provisioning a separate, dedicated organizational unit (or just account) for this
content/glossary/monorepo.md
Outdated
| tags: | ||
| - polyrepo | ||
| - monorepo | ||
| description: "Monorepo refers to a strategy of storing all code for possibly unrelated applications with in the same source code repository." |
content/glossary/stage.md
Outdated
| @@ -3,10 +3,18 @@ title: "Stage" | |||
| description: 'One of the phases in the SDLC where by software is deployed to an environment. Common stages are “Production”, “Staging”, “QA” or “Development”' | |||
content/glossary/stage.md
Outdated
| tags: | ||
| - environment | ||
| - sdlc | ||
| - prod | ||
| - staging | ||
| - dev | ||
| --- | ||
|
|
||
| It's important to note that within a given stage, there might be multiple environments. We always prescribe separating multiple stages by using multiple AWS organizations. Then provisioning multiple environments within that stage as necessary. |
There was a problem hiding this comment.
by using multiple AWS accounts or organizational units
content/glossary/stage.md
Outdated
|
|
||
| It's important to note that within a given stage, there might be multiple environments. We always prescribe separating multiple stages by using multiple AWS organizations. Then provisioning multiple environments within that stage as necessary. | ||
|
|
||
| For example, the "staging" organization might run "pre-production" and "QA" environments. |
| @@ -0,0 +1,10 @@ | |||
| FROM r.cfcr.io/cloudposse/terraform-root-modules:0.1.0 as terraform-root-modules | |||
There was a problem hiding this comment.
should we get it from Docker Hub instead of CodeFresh for the example?
|
|
||
| Here's what it looks like in practice: (only relevant portions) | ||
|
|
||
| {{% include-code-block title="" file="terraform-modules/root/examples/Dockerfile" language="Dockerfile Snippet" %}} |
There was a problem hiding this comment.
is it correct language="Dockerfile Snippet"?
content/terraform/tips-tricks.md
Outdated
| {{% include-code-block title="Example: Encrypted S3 Bucket" file="terraform/examples/encrypted-s3-bucket.tf" language="hcl" %}} | ||
|
|
||
| For an example of how we use it, check out our [`terraform-aws-s3-log-storage`](https://github.com/cloudposse/terraform-aws-s3-log-storage) module. | ||
|
|
||
| # Use Pre Commit Hooks for Linting | ||
|
|
||
| We strongly urge that all code be linted prior to checking into to git. Running `terraform fmt` on the codebase before committing will accomplish this. |
|
|
||
| Inheritance is when you use `FROM some-image:1.2.3` (vs `FROM scratch`) in a `Dockerfile`. We recommend to leverage lean base images (E.g. `alpine` or `busybox`). | ||
|
|
||
| Try to leverage the same base image as many of your images as possible for faster `docker pulls`. |
|
|
||
| # Use Scratch Base Image | ||
|
|
||
| One often overlooked, ultimately lean base-image is the `scratch` image. This is an empty filesystem which allows one to copy/distribute the minimal set of artifacts. For languages that can compile statically linked binaries, using the `scratch` base image is the most secure docker image as there will be no other exploitable packages in the image. |
There was a problem hiding this comment.
using the scratch base image is the most secure way
content/tools/helm.md
Outdated
| --- | ||
|
|
||
| {{< img src="/assets/helm-d7685fec.png" title="Helm Logo" class="logo" >}} | ||
|
|
||
| Helm makes it easy to install `charts` (a application) on kubernetes clusters. Just like `npm` or `apt` make it easy to install NodeJS modules and Debian packages, `helm` makes it easy to deploy a a full-fledged application with all of its dependencies on kubernetes. |
content/tools/helm.md
Outdated
| --- | ||
|
|
||
| {{< img src="/assets/helm-d7685fec.png" title="Helm Logo" class="logo" >}} | ||
|
|
||
| Helm makes it easy to install `charts` (a application) on kubernetes clusters. Just like `npm` or `apt` make it easy to install NodeJS modules and Debian packages, `helm` makes it easy to deploy a a full-fledged application with all of its dependencies on kubernetes. |
There was a problem hiding this comment.
deploy a full-fledged application
what
why